none
Restricting user logon to a set of PCs through Group Policy

    Question

  • Scenario :

    ADS Server Ws2012R2 

    Clients under consideration  : All with Windows 7 or Windows 8.1   - 10 in number. ( In a single department- Accounts Deptt)

    There are 150 more such clients across organization all in a single premises.

    We would like to implement following restrictions through group policy.

    People from Accounts department should be able to login from any of the 10 clients in the accounts department. But they should not be allowed to login using their accounts credentials from any other PC ( apart from Accounts department).

    In short, we do not want an Accounts user going across to some  other department and working from there with his login name and password.

    Let me know how one can implement this., if it is possible.

    Tuesday, November 08, 2016 1:20 PM

Answers

  • Hi,
    Regarding to prevent a certain group of people to use certain PCs, you could configure Deny log on locally policy under Computer Configuration > Policies > Window Settings > Security Settings > Local Policies > User Rights Assignment, please follow the article as below step by step to have a try:
    Prevent Some Users from Logging on to Certain Domain Workstations
    http://mintywhite.com/windows-7/7maintenance/prevent-users-logging-domain-workstations/
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    In addition, you could also restrict the computers which user could log on from ADUC:
    Open ADUC, right click the user account properties, click account tab and you will find the option as below, change the “Log On To” setting from the default “All computers” to “The following computers” and then specify the computer name(s). Now the user can only login to those specified computers.

    Best regards,
    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, November 09, 2016 2:31 AM
    Moderator

All replies

  • Hi,
    Regarding to prevent a certain group of people to use certain PCs, you could configure Deny log on locally policy under Computer Configuration > Policies > Window Settings > Security Settings > Local Policies > User Rights Assignment, please follow the article as below step by step to have a try:
    Prevent Some Users from Logging on to Certain Domain Workstations
    http://mintywhite.com/windows-7/7maintenance/prevent-users-logging-domain-workstations/
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    In addition, you could also restrict the computers which user could log on from ADUC:
    Open ADUC, right click the user account properties, click account tab and you will find the option as below, change the “Log On To” setting from the default “All computers” to “The following computers” and then specify the computer name(s). Now the user can only login to those specified computers.

    Best regards,
    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, November 09, 2016 2:31 AM
    Moderator
  • Hi,

    I am checking how the issue going, if you still have any questions, please feel free to contact us.

    And if the replies as above are helpful, we would appreciate you to mark them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    Appreciate for your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, November 14, 2016 9:21 AM
    Moderator